
Watch out folks! Our researchers at SophosLabs Canada alerted me this afternoon to the world’s first JavaScript fake scanner trying to convince Mac users that their computers are infected by a virus.

This social-engineering step is extra important on OS X, as users have to install the malware themselves and enter their administrative credentials for the privilege of infecting their own machine.

Even worse, the attackers are poisoning search terms and images related to Mother’s Day. Simply searching Google for seemingly innocent content to honor your mum could end up with a malware infection.

Fortunately you don’t have to infect your own Mac to find out what the experience is like. We made this video so you can see it in action from the safety of whatever device you prefer to surf the internet from. Watch and enjoy:

Mac users who happen upon a poisoned search result are shown a fake anti-virus scanner written in JavaScript that looks just like the OS X Finder application.

Windows users aren’t left out… They get their own fake popup, which we have seen all too often.

Earlier this week I wrote that we were seeing Mac fake anti-virus software spreading in the wild in greater numbers than before. I also noted that the fake scanner used as part of the social engineering to trick you into installing it looked like Windows XP.

I hope they weren’t listening.

The criminals behind these attacks seem to be using Google’s search auto-complete technology to determine the most popular search terms to poison.

You can see Google automatic suggestions in the screenshot at right. We chose “Mothers day poems for kids” from the list and sure enough, some of the results lead to infections.

10 comments on “Mother’s Day search terms lead to Mac rogue security software”

That happened to me last night. I was surfing the web for a new background picture on my MacBook, so I opened one of Taylor Swift and this thing came up stating I had viruses in my laptop. I was about to click remove all when I remembered I have never seen this layout on Safari before and it was similar to the software that infected my desktop PC (I had to reboot that computer). I hadn’t even clicked anything and I saw something was downloading. I quickly stopped the download and deleted it from my system through Finder. I then did a full scan of my laptop via the Sophos anti-virus. I found that I had nothing, which was a relief 🙂

Thanks for alerting us, but haven't we all become accustomed now to fake AV, and why in the world would ANYONE fall for this! The fact that Mac and Linux users don't normally run with root privileges means you have to volunteer to be infected in this way. Most of my Windows-using friends still run on an admin account, even though they now use Vista or Win7, which don't default to this behavior, opening them up for a world of problems (most of which they call me to fix). If you DON'T allow install of this malware by entering your admin password, it has no way to install, and if you do allow install with an admin password, AV will NOT protect you, as far as I can tell. I still maintain that AV is extraneous on Mac and Linux. Good online behavior is far more important since all the AV on earth will not protect you from stupid.

Why in the world would anyone fall for this? Because they’re stupid. Stupid people deserve to have to pay good money for otherwise unnecessary software (e.g. AV on Mac or Linux), so the rest of us won’t have to waste our time trying to fix stupid.

@spookie – The social engineering aspect of this, coupled with the fact that many Mac users mistakenly believe they are immune to viruses, is why this is effective. If the user believes they have a virus and this software will help them, they won’t think twice about authorizing the install with their admin password.

So far, it seems that many scams and fake stuff like this can only get through because people either do not read or do not speak English. Really. Practically every scam I've come across stands out because of the many horrible and obvious spelling, grammar and sentence construction mistakes. The first 'warning' in this scenario is a good example. If that doesn't ring your alarm bells, what will?

For all their ingenuity and scripting skills, these scammers simply seem unable to find anyone with basic language skills. Suckers.

That is idiotic!! I watched 40 sec of the Google search and I'm going ballistic … if anyone proceeded to that point !!! They deserve to be infected!! People don't spend 2,000 dollars on a computer and remain so stupid!! LAME IDIOTS that would!!

Mac Security is all you need .. all the AV software in the world can't fix STUPID!!

Anyone with half a brain would stop and reset their browser, as they should also do on Windows!!